Skip to main content
  1. Home
  2. Computing
  3. Web
  4. News

Latest bugs in LastPass allowed attackers to steal passwords

Add as a preferred source on Google

Password manager LastPass is patching a number of critical vulnerabilities in its software that left users’ passwords potentially leaking.

No software is ever totally safe and while password managers can offer a degree of security and convenience, they are not impervious as these security flaws demonstrate.

Recommended Videos

The latest bugs were discovered by Google Project Zero researcher Tavis Ormandy, who is renown for finding and disclosing flaws in security software. Ormandy said he found a vulnerability that allows for the stealing of passwords by running a binary version of the password manager’s extension.

In a proof of concept, Ormandy demonstrated using the code to launch an application. He opened the calculator in Windows but, he said, a malicious actor could use this code to steal password details when the manager is entering them into the login fields.

“That doesn’t look good, this script will proxy unauthenticated window messages to the extension. This is clearly a mistake, because anybody can do [it],” he wrote in his advisory.

“Therefore, this allows complete access to internal privileged LastPass RPC [remote procedure calls] commands,” he said.

https://twitter.com/taviso/status/844312124541186048

LastPass said in a tweet that this has been fixed and promised a blog post with more details on what went wrong but the post has yet to materialize.

Ormandy also found remote code execution vulnerabilities in the password manager’s Chrome and Firefox extensions. The Chrome bug has since been patched but the Firefox version remains unpatched for now but this may be due to a hold up on Mozilla’s end.

“We are aware of reports of a Firefox add-on vulnerability. Our security is investigating and working on issuing a fix,” said LastPass on Tuesday night.

This isn’t the first time that Ormandy has poked holes in LastPass’ software. In 2016, he disclosed a Firefox-related flaw that would have allowed an attacker to access someone’s extension, without them knowing, and delete the passwords.

Jonathan Keane
Jonathan is a freelance technology journalist living in Dublin, Ireland. He's previously written for publications and sites…
Claude Fable 5 is leaving subscriptions, but maybe not for good
High demand is pushing Claude Fable 5 out of subscriptions for now
Claude Fable 5 and Claude Mythos 5 Official Render

Anthropic’s most advanced publicly available Claude model is still leaving standard subscription access after July 7, but the company is now trying to calm fears that the move is permanent.

Fable 5 recently returned to Claude after drawing scrutiny from the U.S. government. Anthropic said it would be included on Pro, Max, Team, and select Enterprise plans for up to 50% of weekly usage limits through July 7. After that date, the model is set to move to usage-credit billing, meaning users will pay for access outside their regular plan limits.

Read more
Yet another research breaks the hype bubble for AI browsers serving serious security flaws
Four popular AI browsers can be exploited to steal your data from other open tabs.
ChatGPT Atlas browser on a MacBook.

AI browsers are being sold as the next big thing. They can summarize pages, book trips, and even make purchases for you. But a new study from the University of Washington found that four of the seven most popular ones come with a security risk serious enough to let malicious websites steal data from other sites you have open. The more capable the browser, the bigger the risk turns out to be.

The 30-year security rule that AI browsers are breaking

Read more
Valve just gave away the blueprint for its coolest Steam Machine mod
Valve giving away the recipe instead of the dish, and honestly, we're okay with it.
Valve Steam Machine Featured Design Coverplate

While Valve’s Steam Machine launched at a higher-than-expected price due to the AI-driven chip shortage, it seems that the company is not sitting on its haunches and is still working hard to make the product more enticing to users. 

One of the coolest features of the Steam Machine is the user-customizable front faceplate, and Valve has just made it better. The company open-sourced its "Inkterface" project, which allows users to build their own e-ink faceplate for the Steam Machine.

Read more